I would really like to implement SecurID, but it's cost prohibitive. The nice thing about SecurID is that it provides even another layer of security. In my experience with it, I had to provide a PIN, along with the current code on the fob, to pass SecurID authentication, in addition to my host/network password. This was true two-factor authentication.

My major problem with just using rsa/dsa keys or certs is that I have to use the honor system and hope my user base is protecting their key or cert with a strong password/passphrase. So I have to assume they are not. Then there is the problem of securing the rsa/dsa key or cert: I cannot assume my users have any type of security set up on their remote machines, as I cannot, nor want to, maintain their remote networks.

Which brings me back to password authentication. If I were able to require both an rsa/dsa key or cert in addition to providing a host password (which I could enforce complexity and expiration times on), I think it would give me reasonable two-factor authentication without the hefty costs associated with SecurID or similar systems.

Thanks to all of you who have taken the time to read and to respond to this thread. I appreciate your feedback.

Cheers,
Ryan
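
As an added example that is not part of the original post: on an OpenSSH server (an assumption here; the `AuthenticationMethods` keyword exists from OpenSSH 6.2), requiring a key and a host password together is written `AuthenticationMethods publickey,password`. The Python check below, with hypothetical function names and constructed sample configs, flags a configuration where any alternative method list still lets a key or a password through alone.

```python
# Added example: audit sshd_config text for "key AND password" enforcement.
# Assumes OpenSSH 6.2+; only the global section is checked (Match blocks are skipped).

def global_auth_methods(config_text):
    """Return the method lists from the first global AuthenticationMethods line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break  # per-user/per-host overrides are out of scope for this check
        if keyword == "authenticationmethods":
            # sshd keeps the first value it reads for a keyword, so stop here.
            # "keyboard-interactive:pam" style submethods are reduced to the base name.
            return [[m.split(":", 1)[0] for m in lst.split(",")] for lst in args]
    return None  # keyword unset: any single enabled method is accepted


def requires_key_and_password(config_text):
    """True only if every accepted method list contains publickey and password."""
    lists = global_auth_methods(config_text)
    if not lists or ["any"] in lists:
        return False
    # The space-separated lists are alternatives: one weak list defeats the policy.
    return all("publickey" in lst and "password" in lst for lst in lists)


# Constructed sample configurations (not taken from any real host).
STRONG = "PasswordAuthentication yes\nAuthenticationMethods publickey,password\n"
WEAK_ALTERNATIVE = "AuthenticationMethods publickey,password publickey\n"
FIRST_WINS = "AuthenticationMethods publickey\nAuthenticationMethods publickey,password\n"
UNSET = "# defaults only\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("strong", STRONG), ("weak alternative", WEAK_ALTERNATIVE),
                      ("first wins", FIRST_WINS), ("unset", UNSET)]:
        print(f"{name}: key+password enforced = {requires_key_and_password(cfg)}")
```

The check looks specifically for the `password` method, so a server that collects the password through `keyboard-interactive` (for example via PAM) is reported as not matching and needs a manual look.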